CloudSEK’s contextual AI digital risk platform XVigil has identified an increase in supply and demand for services that abuse Google Ads to deliver malware payloads and loaders, across various dark web and cybercrime forums.
Overview of the service:
|Category: Adversary Intelligence||Threat Type: Malvertisement||Motivation: Financial||Region: Global||Source*: D2|
- Price: USD 4,500 - 5,000
- Redirect victims to malicious sites
- Automatically deliver payloads or loaders
- Reduce the time taken to host and carry out malicious campaigns
Information from Cybercrime ForumsOn 13 May 2022 a threat actor shared a post, on a Russian-language cybercrime forum, advertising a Google Ad service that converts a victim device to a bot. The threat actor claims that the Google Ad service was initially developed for their own use. However, they are now renting it out to other actors.
Features of the Google Ad Service
- The threat actor claims that the Google Ad service:
- Directs victims who click on the ad to a legitimate-looking malicious page.
- And after performing certain checks, downloads the loader onto the victim’s device.
- The loader operates based on the victim. For instance, a victim searching for a PDF reader will be directed to a fake PDF site and download the loader along with the PDF software.
- The loader’s features include:
- Compatibility with Windows 10 and Windows 11.
- Ability to run exe/dll/msi with administrator or system rights.
- Complete bypassing of Windows Defender.
- No alerts from SmartScreen.
- Complete bypassing of Google Chrome, even if the user has the highest security settings.
- The payload is issued depending on the structure of the network:
- If the network belongs to an individual, multiple payloads can be delivered to the system.
- However, if the network belongs to a corporation, a payload will be delivered only if it is the main controller domain of the company.
Demand for Google Ad ServicesThere has been an increasing demand for Google Ad services on cybercrime forums: This demand has led to an increase in the number of posts advertising Google Ad services: Threat actors looking for services that rely on Google Ads